author | Ole Troan <ot@cisco.com> | 2016-01-06 12:40:28 +0100 |
---|---|---|
committer | Ole Troan <ot@cisco.com> | 2016-01-06 12:40:28 +0100 |
commit | 366ac6ecdea0214363f523967830c370697c8944 (patch) | |
tree | cf4d655185fca02ea56fad3feb2a9d6e7fa283cf /vnet | |
parent | 1bc56f7fa162eab44214e5e2fa02f8b3a5ccb021 (diff) |
MAP: Decrement TTL of payload IPv4 packet.
MAP: Disable direct adjacency domain lookup for decap until IPv4 SA security check is fixed.
Change-Id: If85ea73629e46cb09757fe842d79507cf54e37f3
Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'vnet')
-rw-r--r-- | vnet/vnet/map/ip4_map.c | 25 | ||||
-rw-r--r-- | vnet/vnet/map/map.c | 3 | ||||
-rw-r--r-- | vnet/vnet/map/map.h | 10 |
3 files changed, 36 insertions, 2 deletions
diff --git a/vnet/vnet/map/ip4_map.c b/vnet/vnet/map/ip4_map.c
index 6ed176c8e60..c8ee2764f23 100644
--- a/vnet/vnet/map/ip4_map.c
+++ b/vnet/vnet/map/ip4_map.c
@@ -156,6 +156,28 @@ ip4_map_ip6_lookup_bypass (vlib_buffer_t *p0, ip4_header_t *ip)
 }
 /*
+ * ip4_map_ttl
+ */
+static inline void
+ip4_map_decrement_ttl (ip4_header_t *ip, u8 *error)
+{
+ i32 ttl = ip->ttl;
+
+ /* Input node should have reject packets with ttl 0. */
+ ASSERT (ip->ttl > 0);
+
+ u32 checksum = ip->checksum + clib_host_to_net_u16(0x0100);
+ checksum += checksum >= 0xffff;
+ ip->checksum = checksum;
+ ttl -= 1;
+ ip->ttl = ttl;
+ *error = ttl <= 0 ? IP4_ERROR_TIME_EXPIRED : *error;
+
+ /* Verify checksum. */
+ ASSERT (ip->checksum == ip4_header_checksum(ip));
+}
+
+/*
 * ip4_map
 */
 static uword
@@ -345,6 +367,9 @@ ip4_map (vlib_main_t *vm,
 */
 port0 = ip4_map_port_and_security_check(d0, ip40, &next0, &error0);
+ /* Decrement IPv4 TTL */
+ ip4_map_decrement_ttl(ip40, &error0);
+
 /* MAP calc */
 u32 da40 = clib_net_to_host_u32(ip40->dst_address.as_u32);
 u16 dp40 = clib_net_to_host_u16(port0);
diff --git a/vnet/vnet/map/map.c b/vnet/vnet/map/map.c
index fe54f65454e..b7eb1f14839 100644
--- a/vnet/vnet/map/map.c
+++ b/vnet/vnet/map/map.c
@@ -681,7 +681,8 @@ format_map_domain (u8 *s, va_list *args)
 s = format(s, " RX: %lld/%lld", v.packets, v.bytes);
 map_domain_counter_unlock(mm);
 }
-
+ s = format(s, "\n");
+
 if (d->rules) {
 int i;
 ip6_address_t dst;
diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h
index ae58cdb9120..95b842d4782 100644
--- a/vnet/vnet/map/map.h
+++ b/vnet/vnet/map/map.h
@@ -274,7 +274,8 @@ typedef struct {
 _(FRAGMENT_MEMORY, "could not cache fragment") \
 _(FRAGMENT_MALFORMED, "fragment has unexpected format")\
 _(FRAGMENT_DROPPED, "dropped cached fragment") \
- _(MALFORMED, "malformed packet")
+ _(MALFORMED, "malformed packet") \
+ _(IP4_ERROR_TIME_EXPIRED, "time expired")
 typedef enum {
 #define _(sym,str) MAP_ERROR_##sym,
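Review bot: `*error = ttl <= 0 ? IP4_ERROR_TIME_EXPIRED : *error;` in ip4_map_decrement_ttl stores an ip4-node error code, while the map.h hunk at the end of this line registers the same spelling as a MAP error, `_(IP4_ERROR_TIME_EXPIRED, "time expired")`, which the following `#define _(sym,str) MAP_ERROR_##sym` turns into `MAP_ERROR_IP4_ERROR_TIME_EXPIRED`; nothing in the diff references that MAP constant, so unless the two are aliased elsewhere, error0 ends up indexing the MAP node's counters with a foreign enum value and the new "time expired" counter never increments. The intended pair is presumably `_(TIME_EXPIRED, "time expired")` in map.h and `*error = ttl <= 0 ? MAP_ERROR_TIME_EXPIRED : *error;` here. The `ASSERT (ip->ttl > 0)` is the only guard against a zero TTL; if it is compiled out, `ttl -= 1` gives -1 and `ip->ttl = ttl` rewrites the header TTL to 255 before the `ttl <= 0` test flags the error, so the header should only be written when the decrement stays non-negative. Two wording points: the header comment names `ip4_map_ttl` but the function is `ip4_map_decrement_ttl`, and `/* Input node should have reject packets with ttl 0. */` should read `rejected`.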
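Review bot: `ip4_map_decrement_ttl(ip40, &error0);` runs unconditionally after ip4_map_port_and_security_check, and when the TTL reaches 0 it overwrites whatever the check already recorded in error0, so a packet rejected by the security check is counted as a TTL expiry instead; guard the call on the check having left error0 untouched. The hunk then continues straight into the MAP calculation, so if the expiry is only reported through error0, the packet is still encapsulated unless code outside this hunk diverts a non-zero error0 to a drop, and no ICMP Time Exceeded is generated for it, which the commit message does not address. The enclosing ip4_map node function starts and ends outside the hunk.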
@@ -392,6 +393,12 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr,
 map_main_t *mm = &map_main;
 ip4_main_t *im4 = &ip4_main;
 ip_lookup_main_t *lm4 = &ip4_main.lookup_main;
+
+ /*
+ * Disable direct MAP domain lookup on decap, until the security check is updated to verify IPv4 SA.
+ * (That's done implicitly when MAP domain is looked up in the IPv4 FIB)
+ */
+#ifdef MAP_NONSHARED_DOMAIN_ENABLED
 ip_lookup_main_t *lm6 = &ip6_main.lookup_main;
 ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index);
 ASSERT(adj);
@@ -400,6 +407,7 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr,
 *map_domain_index = p[0];
 if (p[0] != ~0) return pool_elt_at_index(mm->domains, p[0]);
+#endif
 u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0);
 ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai); |
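Review bot: `#ifdef MAP_NONSHARED_DOMAIN_ENABLED` compiles out the block that assigns `*map_domain_index = p[0];` (closed by the `+#endif` in the second hunk), and nothing in the diff defines the macro or assigns map_domain_index on the surviving FIB path, so callers may now read an output parameter that is never written unless the lines after `ip_get_adjacency (lm4, ai)` set it outside the hunk. Because the macro is not defined anywhere visible, the adjacency shortcut is dead code behind an undocumented switch; the comment should state that explicitly, e.g. add `* MAP_NONSHARED_DOMAIN_ENABLED is deliberately left undefined: the adjacency path skips the inner IPv4 source-address check that the FIB lookup performs, so it must stay off until that check is added.` to the comment block. With the block disabled, `adj_index` is unused on the remaining path and may draw an unused-parameter warning depending on build flags. ip6_map_get_domain begins before the first hunk and ends after the second.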